How to avoid getting locked out of your own account with multi-factor authentication

October 19, 2020 by Greg Belding

Multi-factor authentication (MFA) is one of the most popular authentication security solutions available to organizations today. It really comes as no surprise, as the multi-factor authentication benefits of enhanced security go beyond the basic password security measures by forcing the user to authenticate with another method that (presumably) only the legitimate user has access to. 

While multi-factor authentication benefits are substantial, there is a new risk that has emerged: getting locked out of your own account. This article will detail how to avoid getting locked out of your account with multi-factor authentication and will explore the benefits of multi-factor authentication as well as the risk that not using multi-factor authentication presents.

What is multi-factor authentication?

Multi-factor authentication is an advanced authentication method that goes beyond the traditional password to offer better security for authenticating devices, applications and web-based sessions. Often called two-factor authentication (2FA) when exactly two factors are used, MFA draws on five categories of authentication factors:

  1. Knowledge: Something the user knows (username, password or PIN)
  2. Possession: Something the user has, such as a security token
  3. Inherence: Something the user is, such as retina, fingerprint or voice recognition
  4. Location: The user’s physical position
  5. Time: A time-sensitive window in which authentication is permitted

Benefits of Multi-Factor Authentication (MFA)

Multi-factor authentication solutions are becoming an integral part of the organizational security profile. Below are some of the reasons why organizations are turning to MFA.

Multi-Factor Authentication provides stronger security

Central to MFA is the fact that each authentication factor compensates for the weaknesses of the others. For example, a weak password can be compensated for with a physical MFA USB key. Each extra layer of authentication factors means stronger security than the traditional single-factor authentication process.

Multi-Factor Authentication fulfills compliance needs

Compliance standards are a necessary part of many industries, and many legal and regulatory standards, such as those in the financial industry, require that MFA be implemented within an organization. Other regulatory standards, such as HIPAA in healthcare, require that a strong authentication process be implemented, leaving the choice of what to implement up to the organization. MFA meets the regulatory compliance standards of multiple industries, which is another reason why organizations are adopting multi-factor authentication solutions.

Multi-Factor Authentication offers simplification

Using multiple authentication methods to authenticate a user may seem like it would complicate an organization’s user authentication processes; in reality, it produces simplification. With single sign-on, once the user is authenticated, they are given access to all of the organization’s covered apps. For example, if a user normally accesses five organization apps, one authentication can replace five separate authentications.

Risk associated with Multi-Factor Authentication

Despite the benefits of MFA, there is also an inherent risk associated with it, which I refer to as the “use it or lose it” rule. If MFA is not enabled and an attacker gains access to an account and enables it, the attacker sets the authentication factors. The attacker then controls authentication for that account and can lock the legitimate user out of it. Use it or lose it indeed.

Attackers know that while MFA is becoming more available and more widely used, there are still organizations that have not enabled it and may never do so, often because they fear they will drive away good employees by increasing security. Never shy about taking advantage, attackers use MFA like any other tool in their arsenal.
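As an added illustration of the risk just described (example code written for this article's topic, not from the original post or from any identity provider), here is a small Python check that walks a constructed sign-in audit log and flags the first MFA enrollment on an account when it comes from a source address the account has never used before. The event schema, the 24-hour familiarity window and the sample events are all assumptions made for the example.

```python
"""Flag first-time MFA enrollments from unfamiliar source addresses.

Added example with a constructed, simplified audit-log schema. If an account
has no MFA, whoever logs into it can enroll the first factor; when that first
enrollment arrives from an address the account has never used before, it is
worth a closer look before the legitimate user finds themselves locked out.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption for the example: an address counts as familiar once the account
# has been logging in from it for at least a day.
FAMILIAR_AGE = timedelta(hours=24)

# Constructed sample events, one JSON object per line (hypothetical schema).
SAMPLE_LOG = """\
{"ts": "2020-10-12T08:00:00Z", "user": "alice", "event": "login", "ip": "203.0.113.10", "mfa_used": false}
{"ts": "2020-10-12T08:05:00Z", "user": "bob", "event": "login", "ip": "198.51.100.7", "mfa_used": false}
{"ts": "2020-10-19T08:01:00Z", "user": "alice", "event": "login", "ip": "203.0.113.10", "mfa_used": false}
{"ts": "2020-10-19T08:02:30Z", "user": "alice", "event": "mfa_enroll", "ip": "203.0.113.10", "factor": "totp"}
{"ts": "2020-10-19T09:15:00Z", "user": "bob", "event": "login", "ip": "198.51.100.7", "mfa_used": false}
{"ts": "2020-10-19T23:40:00Z", "user": "bob", "event": "login", "ip": "192.0.2.99", "mfa_used": false}
{"ts": "2020-10-19T23:41:10Z", "user": "bob", "event": "mfa_enroll", "ip": "192.0.2.99", "factor": "sms"}
{"ts": "2020-10-20T10:00:00Z", "user": "alice", "event": "login", "ip": "203.0.113.10", "mfa_used": true}
{"ts": "2020-10-20T10:05:00Z", "user": "alice", "event": "mfa_enroll", "ip": "203.0.113.44", "factor": "backup_codes"}
"""


def parse_events(text):
    """Parse the JSON-lines log into dicts with datetime timestamps, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_enrollments(events, familiar_age=FAMILIAR_AGE):
    """Return alerts for the first MFA factor enrolled on an account when the
    enrolling address was not already established for that account."""
    first_seen = defaultdict(dict)  # user -> {ip: time of first login from it}
    factors = defaultdict(list)     # user -> factors enrolled so far
    alerts = []
    for ev in events:
        user, ip = ev["user"], ev["ip"]
        if ev["event"] == "login":
            first_seen[user].setdefault(ip, ev["ts"])
        elif ev["event"] == "mfa_enroll":
            seen_at = first_seen[user].get(ip)
            familiar = seen_at is not None and ev["ts"] - seen_at >= familiar_age
            if not factors[user] and not familiar:
                alerts.append({
                    "user": user, "ip": ip, "factor": ev["factor"],
                    "ts": ev["ts"].isoformat(),
                    "reason": "first MFA factor enrolled from an unfamiliar address",
                })
            factors[user].append(ev["factor"])
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_enrollments(parse_events(SAMPLE_LOG)):
        print(alert)
```

Bob's enrollment is flagged because his first factor was set up a minute after a login from an address his account had never used; Alice's is not, because she enrolled from her long-established address, and her later backup-code enrollment from a new address is not a first factor. In a real deployment the familiarity signal would come from the identity provider's own sign-in history rather than a hand-built log.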

How to avoid being locked out of your account

Being locked out of your account is a risk that may be a clear and present danger for your organization. (Yes, I am talking especially to the organizations that fear more security implementations will cull their workforce.) By following the recommendations below, you can avoid the MFA pitfall of being locked out yourself.

Enable Multi-Factor Authentication

Enabling MFA is the easiest way to avoid being locked out of your account by an attacker who enables it before you do. While organizations have their own reasons for not enabling MFA (such as fear of driving off users), the fact is that MFA is becoming more commonly used, and chances are most users have used MFA at some point by now. Therefore, the fear of implementing MFA should be tempered by demonstrating how easy it is to use (especially with single sign-on) and that the increased security MFA offers may help prevent the attacks that lock users out in the first place.

Enrolling additional factors

After MFA is enabled, users can still be locked out of their accounts. This can occur when the user forgets an MFA factor (such as a PIN or password), loses the device on which that factor is stored, or loses the secondary device that receives or generates a one-time code (such as a smartphone for SMS-based authentication).

Enrolling additional factors, such as a secondary phone number for SMS, voice recognition or a security token, gives the user an extra authentication method as well as an extra layer of security overall.
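An added example, not part of the original article, of how an administrator could audit whether each user's enrolled factors actually leave a recovery path: the script below models each factor with a constructed "anchor" label naming the device or channel whose loss takes the factor away, and reports accounts with no MFA at all or with every factor tied to a single anchor. Users, factor types and anchor labels are all made-up sample data.

```python
"""Audit enrolled MFA factors for lockout risk.

Added example with constructed data. Each factor is tagged with an "anchor",
the device or channel whose loss would take that factor with it. A user whose
factors all share one anchor is one lost phone away from being locked out.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Factor:
    kind: str    # e.g. "totp", "sms", "voice", "security_key", "backup_codes"
    anchor: str  # constructed label for the thing whose loss removes the factor


# Constructed enrollment records (hypothetical users and devices).
# SMS and TOTP on the same handset share an anchor: if the phone with its SIM
# is lost, both factors are gone until the number is recovered.
ENROLLMENTS = {
    "alice": [Factor("totp", "phone:alice-mobile"),
              Factor("sms", "phone:alice-mobile")],
    "bob":   [Factor("totp", "phone:bob-mobile"),
              Factor("security_key", "key:bob-hardware-token"),
              Factor("backup_codes", "paper:bob-safe")],
    "carol": [],
    "dave":  [Factor("sms", "phone:dave-mobile"),
              Factor("voice", "phone:dave-desk")],
}


def lockout_risk(factors):
    """Classify an account by how it would survive losing a single anchor."""
    if not factors:
        return "no_mfa"                    # the "use it or lose it" case
    anchors = {f.anchor for f in factors}
    if len(anchors) < 2:
        return "single_point_of_failure"   # every factor dies with one device
    return "ok"


def audit(enrollments):
    """Map each user to a risk label."""
    return {user: lockout_risk(fs) for user, fs in enrollments.items()}


def needs_attention(enrollments):
    """Users who should enroll an additional, independently held factor."""
    return sorted(u for u, r in audit(enrollments).items() if r != "ok")


if __name__ == "__main__":
    for user, risk in audit(ENROLLMENTS).items():
        kinds = ", ".join(f.kind for f in ENROLLMENTS[user]) or "none"
        print(f"{user:6} {risk:24} factors: {kinds}")
```

Alice has two factors but both live on one handset, so she is reported alongside Carol, who has none; Bob and Dave each hold factors on separate devices and pass. The anchor labels are the part that needs real thought in practice, since a factor's true dependency (the SIM, the handset, a printed sheet) is not always the device it appears to be on.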

Multi-Factor Authentication: not a panacea

MFA definitely improves security, but it is not a panacea, as it only applies to authentication. Attackers have other methods of compromise, such as phishing, token theft and stolen biometric data. MFA should be only one part of an overall robust security strategy for an organization.

Conclusion

Multi-factor authentication is a security measure for authentication that offers substantial security advantages over the traditional single-factor authentication scheme. It adds one or more extra layers of authentication factors which, if left unenabled, can be turned against the user by an attacker who enables them after gaining a foothold on a compromised system. To avoid this, enable MFA with as many authentication factors as possible, and use MFA as part of a comprehensive, robust organizational security strategy.



Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.